Ohio House Bill 96 ORC 9.64 – A Practical Cybersecurity Guide for Ohio Local Governments


At Palitto Consulting Services, we work alongside public sector and regulated organizations that need clear, practical technology and security guidance. We know most local teams are balancing limited time, lean staffing, and growing compliance expectations. Our role is to make this easier by helping you move from uncertainty to a clear plan.

If you are part of an Ohio county, township, municipality, school district, public health organization, or other local entity, you have likely heard about Ohio House Bill 96 and the cybersecurity requirements now reflected in Ohio Revised Code 9.64.

The good news is that you do not need to be a cybersecurity specialist to make strong progress. You need a practical roadmap, clear ownership, and support that fits your organization.

Who This Applies To

HB 96 applies to political subdivisions in Ohio, which typically include counties, cities, villages, townships, and other local government entities. Organizations such as K-12 public schools, public higher education, and public health organizations are commonly impacted groups.

If you are unsure whether your organization falls within scope, Palitto Consulting Services can help you quickly and confidently confirm applicability.

What the Law is Asking Your Organization to Do

At a high level, ORC 9.64 expects local entities to establish a cybersecurity program aligned with recognized best practices, often mapped to frameworks such as NIST and CIS.

In practical terms, your team should be able to answer questions like these.

  • What systems and services are most critical to operations
  • What risks could disrupt service delivery and what would the impact be
  • How threats are detected
  • How incidents are handled and by whom
  • How recovery and continuity decisions are made
  • How employee training is assigned and tracked by role

The law outlines program elements such as risk identification, threat detection, incident response, recovery planning, and training expectations.

The Reporting Timelines that Require Preparation Now

ORC 9.64 establishes incident notification timelines after discovery of a cybersecurity incident or ransomware incident.

  • Notify the Ohio Department of Public Safety through OCIC within 7 days
  • Notify the Auditor of State within 30 days

Many organizations do not struggle because of lack of effort. They struggle because ownership and reporting workflows were never fully defined before an event occurred. Preparing this process in advance is one of the most valuable actions you can take.

Ransomware Decisions Require Formal Leadership Action

HB 96 includes a specific ransomware provision. A political subdivision cannot pay or comply with a ransom demand unless legislative authority approves it through formal action and documents why payment is in the organization’s best interest.

Even if your organization never intends to pay a ransom, planning the decision process ahead of time strengthens readiness and reduces confusion during a high-pressure incident.

A Realistic Path Forward For Local Teams

Most organizations do not need a massive one-time project. They need a right-sized plan that builds momentum, reduces risk, and supports continuity.

A practical approach often includes four steps.

Step 1
Conduct a focused readiness review of your current policies, controls, reporting process, backup strategy, and training posture.

Step 2
Prioritize the highest risk gaps first so effort and budget are directed where they have the greatest impact.

Step 3
Define a clear incident response and reporting workflow, including decision ownership, internal escalation, and required notifications.

Step 4
Implement improvements in phases and maintain the program over time so it remains effective and sustainable.

How Palitto Consulting Services Can Help

Palitto Consulting Services helps organizations translate legal and operational requirements into an executable plan that your team can maintain. We can support you with:

  • Cybersecurity program alignment to NIST and CIS expectations
  • Risk identification and prioritization based on operational impact
  • Incident response planning and communications workflow design
  • Readiness for the 7-day and 30-day notification requirements
  • Security awareness planning and role-based training structure
  • Technical implementation support, including controls hardening, monitoring, and recovery planning

If you already work with internal IT staff or outside vendors, we can also serve as a strategic coordinator to keep priorities clear, roles defined, and progress on schedule.

A Simple Next Step

If you want clarity without overcomplicating the process, start with a short readiness conversation. We can help you quickly answer:

  • What already counts toward compliance
  • Where your highest priority gaps are
  • What practical path gets you to a sustainable program

Contact Palitto Consulting Services to schedule an Ohio HB 96 cybersecurity readiness review.

This post is for informational purposes and is not legal advice. Organizations should consult legal counsel for legal interpretation of statutory obligations.